Hackers using cracked software on GitHub to spread RisePro Info Stealer

March 16, 2024 | Pressroom | Malware/Cybercrime

Cracked software on GitHub

Cybersecurity researchers have found a number of GitHub repositories offering cracked software used to deliver an information stealer called RisePro.

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned platform.

“The repositories look similar and contain a README.md file with the promise of free cracked software,” the German cybersecurity firm said.

“Green and red circles are commonly used on Github to display the status of automated builds. Gitgub threat actors have added four Unicode green circles to their README.md that pretend to display a status next to a current date and provide a sense of legitimacy and relevance.”


The list of repositories is as follows; each of them points to a download link on digitalxnetwork[.]com that serves a RAR archive file:

  • andreastanj/AVAST
  • andreastanj/Sound-Booster
  • aymenkort1990/fabfilter
  • BenWebsite/-IObit-Smart-Defrag-Crack
  • Faharnaqvi/VueScan-Crack
  • javisolis123/Voicemod
  • lolusuary/AOMEI-Backupper
  • lolusuary/Daemon-Tools
  • lolusuary/EaseUS-Partition-Master
  • lolusuario/SOOTHE-2
  • mostofakamaljoy/ccleaner
  • rik0v/ManyCam
  • Roccinhu/Tenorshare-Reiboot
  • Roccinhu/Tenorshare-iCareFone
  • True-Oblivion/AOMEI-Partition-Assistant
  • vaibhavshiledar/droidkit
  • vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires victims to enter a password given in the repository’s README.md file, contains an installer that unpacks the next-stage payload: an executable bloated to 699 MB in an attempt to crash analysis tools like IDA Pro.

The file’s actual content, just 3.43 MB, serves as a loader that injects RisePro (version 1.6) into AppLaunch.exe or RegAsm.exe.
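Inflating a 3.43 MB loader to 699 MB is a cheap anti-analysis trick: many sandboxes and upload portals refuse files over a size limit, and disassemblers choke on the junk. The page does not say where the padding sits in the binary, so the added example below (written for this page; not G DATA’s or the campaign’s code) assumes the common case of a trailing overlay of repeated bytes after the last PE section. It walks the section table to find where mapped data ends, measures the overlay and its trailing single-byte run, and strips that run so the real image can be handed to analysis tooling. The PE fixture it builds is a constructed, non-runnable header skeleton, not a malware sample, and the 90 % thresholds are assumptions to tune against your own corpus.

```python
import struct

SECTION_HEADER_LEN = 40


def build_sample_pe(section_data: bytes, padding: bytes) -> bytes:
    """Constructed fixture: a minimal PE32 image (headers + one section) with
    `padding` appended as an overlay. Not a runnable program, not a real sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of a PE32 optional header
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader, EXECUTABLE|32BIT
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt_header = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic
    headers_len = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_LEN
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section_header = struct.pack(
        "<8sIIIIIIHHI",
        b".text\x00\x00\x00",
        len(section_data),  # VirtualSize
        0x1000,             # VirtualAddress
        len(section_data),  # SizeOfRawData
        raw_ptr,            # PointerToRawData
        0, 0, 0, 0,         # relocation/line-number pointers and counts
        0x60000020,         # CODE | EXECUTE | READ
    )
    headers = dos_header + b"PE\x00\x00" + coff_header + opt_header + section_header
    headers += b"\x00" * (raw_ptr - len(headers))
    return headers + section_data + padding


def pe_overlay_stats(data: bytes) -> dict:
    """Find where the last section's raw data ends, then measure the overlay
    (everything after it) and the run of one repeated byte at the very end."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_size
    end_of_sections = section_table + nsections * SECTION_HEADER_LEN
    for i in range(nsections):
        off = section_table + i * SECTION_HEADER_LEN
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    overlay = data[end_of_sections:]
    trailing_run = 0
    if overlay:
        # length of the trailing run of the final byte value (e.g. all 0x00)
        trailing_run = len(overlay) - len(overlay.rstrip(overlay[-1:]))
    overlay_ratio = len(overlay) / len(data)
    return {
        "file_size": len(data),
        "end_of_sections": end_of_sections,
        "overlay_size": len(overlay),
        "trailing_run": trailing_run,
        "overlay_ratio": overlay_ratio,
        # assumed heuristic: mostly overlay, and that overlay is mostly one byte
        "suspect_bloat": overlay_ratio > 0.9 and trailing_run > 0.9 * len(overlay),
    }


def strip_overlay_padding(data: bytes) -> bytes:
    """Return the file with the trailing repeated-byte padding removed; the
    mapped image and any non-repeating overlay content are left intact."""
    stats = pe_overlay_stats(data)
    return data[: len(data) - stats["trailing_run"]]


if __name__ == "__main__":
    sample = build_sample_pe(b"\xCC" * 1024, b"\x00" * (8 * 1024 * 1024))
    print(pe_overlay_stats(sample))
    print(len(strip_overlay_padding(sample)))
```

Treat the verdict as a triage signal, not proof: legitimate installers, self-extracting archives and Authenticode-signed binaries carry real overlays, which is why the check looks at the repeated-byte run rather than the overlay size alone. Padding hidden inside an oversized section, rather than after the last one, will not trip this check, since that region counts as mapped data.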

RisePro came to prominence in late 2022 when it was distributed using a pay-per-install (PPI) malware download service known as PrivateLoader.


Written in C++, it is designed to collect sensitive information from infected hosts and exfiltrate it over two Telegram channels, which are often used by threat actors to extract victim data. Interestingly, recent research from Checkmarx has shown that it is possible to infiltrate and forward messages from an attacker’s bot to another Telegram account.

The development comes as Splunk detailed the tactics and techniques employed by Snake Keylogger, describing it as stealer malware that “employs a multi-faceted approach to data exfiltration”.

“Using FTP facilitates secure file transfer, while SMTP allows sending emails containing sensitive information,” Splunk said. “Additionally, the integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data.”

Stealer malware has become increasingly popular, often serving as the initial access vector for ransomware and other high-impact data breaches. According to a Specops report published this week, RedLine, Vidar and Raccoon have emerged as the most used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the past six months.

“The current rise in information-stealing malware is a stark reminder of constantly evolving digital threats,” Flashpoint noted in January 2024. “While the motivations behind its use are almost always rooted in financial gain, stealers continually adapt while being more accessible and easier to use.”
